For developers: Implement security

Sitefinity CMS can automatically demand permissions, provided that your code gives a little help in the process. This topic will give you a high-level overview of the things one must do to have security working. Details will be given in subsequent topics.

Here is a short algorithm describing the steps that you have to take in order to have a secured module:

1. Decide which data items (model items) to secure and what security actions to perform on them.

2. Choose from the built-in permission sets or create new ones to suit your needs.

3. Decide on the permissions inheritance, if you are going to use granular permissions.

4. Implement ISecuredObject on your secured model classes.

5. Make your providers initialize the security root.

6. Secure provider methods with attributes.

7. If you are not using OpenAccess, implement security hooks in your provider decorator.

8. Make your queries hide elements that do not have the view permission.

NOTE: Although Sitefinity CMS will demand permissions and filter viewable items for you if you follow the steps, you should be aware of the DataProviderBase.SuppressSecurityChecks property. It is not directly accessible through the manager, but it is still accessible through the active provider. If set to true, all security checks, demands and filtering will be off. You should respect this setting when implementing your own secured module. Sitefinity CMS turns off security during project installation, so if you don't respect this setting, Sitefinity CMS will fail to install.
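
The pattern from the note above, as an added sketch that is not Sitefinity's code: a provider whose permission demands and view filtering both honour the suppress switch. Item, SampleProvider, the role sets and the Demand helper are hypothetical stand-ins; only the name SuppressSecurityChecks comes from this page.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
// Hypothetical stand-ins for illustration; these are not Sitefinity types.
public class Item
{
    public string Title;
    public HashSet<string> ViewRoles = new HashSet<string>();
    public HashSet<string> ModifyRoles = new HashSet<string>();
}
public class SampleProvider
{
    // Plays the role of DataProviderBase.SuppressSecurityChecks.
    public bool SuppressSecurityChecks { get; set; }
    private readonly List<Item> store = new List<Item>();
    public void Add(Item item) { store.Add(item); }
    // Demand: one choke point, so the switch is honoured for every action.
    private void Demand(HashSet<string> allowed, string role, string action)
    {
        if (SuppressSecurityChecks) return;
        if (!allowed.Contains(role))
            throw new UnauthorizedAccessException(action + " denied for " + role);
    }
    public void Rename(Item item, string title, string role)
    {
        Demand(item.ModifyRoles, role, "Modify");
        item.Title = title;
    }

    // Filtering: hide items without the view grant unless checks are off.
    public IEnumerable<Item> GetItems(string role)
    {
        if (SuppressSecurityChecks) return store;
        return store.Where(i => i.ViewRoles.Contains(role));
    }
}

public static class Program
{
    public static void Main()
    {
        var p = new SampleProvider();
        p.Add(new Item { Title = "draft", ViewRoles = { "editor" } }); // constructed sample
        int filtered = p.GetItems("guest").Count();
        p.SuppressSecurityChecks = true;   // stand-in for the installation phase
        try { Console.WriteLine(filtered + " -> " + p.GetItems("guest").Count()); }
        finally { p.SuppressSecurityChecks = false; }  // restore checks afterwards
    }
}
```

Because the switch disables every demand and filter at once, the sketch restores it in a finally block so that checks are back on even if the suppressed operation throws.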